Christmas, Seafood and Phishing

Well, only Christmas and Phishing are relevant to this
article, the seafood just got me from one to the other!

How are these two things related (apart from the seafood)?

It has long been suspected, and the recent ransomware and
data disclosure breaches seem to confirm it, that the weakest link in the IT
security chain is often the human one.

Human psychology plays an important part in any vulnerability to phishing, and a number of factors come together around Christmas time that tend to make us humans a little more vulnerable than usual.

More than ever, we are conducting our shopping on-line, and Christmas is expected to be a peak time for this activity. Online shoppers will have bought from a number of outlets, probably paid using a number of different methods, and arranged shipping and tracking through more than a single carrier.

It is only to be expected that you will get the occasional email confirming a purchase, despatch of goods, or similar correspondence arising from this activity.

As Christmas draws near, we may also get unsolicited Merry Xmas
emails from real friends, Facebook friends, relatives, clients and customers.

On top of that, people tend to be focussed more on being sociable (replying to emails), preparing for the festive break, and just being a little more distracted than they might be at other times.

Into this mix arrives the phishing email.

When an email from (say) FedEx arrives with a message about
your missed delivery (potentially throwing some Christmas plans into disarray),
will you take the time to check it and confirm it is legitimate?

Too many will assume it relates to a legitimate purchase they did make, one which did use FedEx for shipping, and so on.

Phishing is not confined to email, but can be found in nearly every form of public digital communication, including “traditional” social media platforms like Twitter and Facebook, as well as more specific environments and services such as LinkedIn and PayPal.

Generally, there are 5 or so categories of phishing, which
in increasing order of sophistication can be described as follows:

Deceptive Phishing

Currently probably the most common form: the fraud is conducted by impersonating another, legitimate company. Typically the message is generic and includes an implied threat and a sense of urgency that the reader “act now”. These are usually relatively easy to spot if you know what to look for, being generic in their content and language.
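The "know what to look for" part can be written down. The script below is an added example, not code from the original post: it runs four simple checks over a raw email, using only Python's standard library, and reports the warning signs a generic deceptive-phishing message tends to carry: a well-known brand in the display name but a sending domain that is not the brand's, a Reply-To pointing somewhere else, pressure language, and a link whose visible text names one site while its href goes to another. Both sample messages and every domain in them are constructed for the example; the brand-to-domain table is an assumption you would replace with your own.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: a generic "missed delivery" lure of the kind the post
# describes. The domains are made up; nothing here is a real message.
SAMPLE_PHISH = """\
From: "FedEx Customer Service" <notice@fedex-parcel-update.example>
Reply-To: verify@mail-handler.example
To: someone@example.org
Subject: Action required: your parcel could not be delivered
Content-Type: text/html

<html><body>
<p>Dear Customer,</p>
<p>We were unable to deliver your package. You must confirm your details
within 24 hours or the parcel will be returned to sender.</p>
<p><a href="http://fedex-parcel-update.example/track">https://www.fedex.com/track</a></p>
</body></html>
"""

# Constructed benign order confirmation, for comparison.
SAMPLE_LEGIT = """\
From: "Example Shop" <orders@shop.example>
To: someone@example.org
Subject: Your order has shipped
Content-Type: text/plain

Hi Sam, your order 1042 has been despatched. Track it at
https://shop.example/track/1042 - no action is needed from you.
"""

URGENCY_PHRASES = ("act now", "within 24 hours", "immediately",
                   "action required", "account will be suspended")
# Brand keyword -> the domain that brand really sends from (assumed for this example).
KNOWN_BRANDS = {"fedex": "fedex.com", "paypal": "paypal.com", "dropbox": "dropbox.com"}
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host):
    """Last two labels of a hostname; crude, but enough for the brands above."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text):
    """Hostname named by a URL or bare domain in link text, else None."""
    text = text.strip()
    if " " in text or "." not in text:
        return None
    return urlparse(text if "://" in text else "//" + text).hostname


def analyse(raw):
    """Return a list of human-readable warning signs found in one raw email."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display, addr = email.utils.parseaddr(str(msg.get("From", "")))
    from_domain = registered_domain(addr.rpartition("@")[2])

    # 1. A well-known brand in the display name, but mail sent from elsewhere.
    for brand, brand_domain in KNOWN_BRANDS.items():
        if brand in display.lower() and from_domain != brand_domain:
            findings.append(f"display name claims {brand!r} but sender domain is {from_domain}")

    # 2. Replies quietly routed to a different domain than the sender's.
    reply_addr = email.utils.parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_addr and registered_domain(reply_addr.rpartition("@")[2]) != from_domain:
        findings.append(f"Reply-To domain differs from sender domain ({reply_addr})")

    # 3. Pressure language in the subject or body.
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    haystack = (str(msg.get("Subject", "")) + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 4. Link text that names one site while the href points to another.
    for href, text in LINK_RE.findall(body):
        shown = host_of(re.sub(r"<[^>]+>", "", text))
        actual = urlparse(href).hostname
        if shown and actual and registered_domain(shown) != registered_domain(actual):
            findings.append(f"link shows {shown} but goes to {actual}")

    return findings


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyse(sample) or "no warning signs")
```

None of the four checks is conclusive on its own (a legitimate newsletter may well have a different Reply-To), which is why the function reports all of them and leaves the decision to the reader, the same way the post asks you to "take the time to check it".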

Spear Phishing

These are a more targeted and personalised variant of the
simple deceptive phishing attempt. The communication will be personalised
(addressing you by name) and often include some details which imply a
legitimate connection with the reader, including phone numbers, employer,
position/title, etc.

LinkedIn is one of the most commonly used platforms for
these sorts of scams.

The end goal is much the same: the fraud is perpetrated in an attempt to get access to personal data, ideally logon and password details.

CEO Phishing (Whaling)

Taking the Spear Phishing approach one step further, this type of attack is targeted at senior executives of corporations (which includes owners and managers of an SME), with the purpose of gaining access not so much to personal details as to the corporation itself.

Executives typically do not engage in the same security
awareness training as employees, and are targeted because of their high value –
either direct access to corporate data or the ability for the fraudster to
impersonate the executive and issue seemingly legitimate directives to make
payments, change supplier accounts, etc.

Protection against this sort of fraud often extends to
organisational policy/procedural changes, for example ensuring no single person
can authorise financial transactions.

Pharming

This type of attack relies on the attacker’s ability to
compromise parts of the internet infrastructure itself, typically by what is
known as “DNS cache poisoning”.

The short version is that the attacker is able to compromise a DNS server such that, when your browser makes a request to look up a genuine URL (e.g. www.microsoft.com), the “poisoned” DNS server returns a different, fake IP address. Your browser goes to that computer and attempts to load the page, and what happens next depends very much on what the fraudster has put there. It might look sufficiently like the legitimate site that you end up providing your login details, or worse, the page downloads some malware.

Protection includes ensuring you always and only enter login credentials on secure (https) links, and verifying that the certificate supplied to your browser matches the company you think it belongs to.
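Why does the certificate check defeat pharming even when DNS lies? The following is an added example, not code from the original post, that models the flow: a name is resolved (honestly or from a poisoned cache), the browser "connects" to whatever IP came back, and the page is only trusted if the presented certificate's DNS Subject Alternative Names cover the name the user typed. The IP addresses are from the RFC 5737 documentation ranges, the certificate dicts are constructed stand-ins in the shape Python's `ssl.getpeercert()` returns, and the attacker's domain name is invented.

```python
# Hostname verification against a certificate, modelled on the RFC 6125 rules
# browsers apply: exact DNS-name match, or a '*' wildcard covering exactly one
# leftmost label. The Common Name is ignored, as modern browsers ignore it.

def san_dns_names(cert):
    """DNS names from a certificate dict in the shape ssl.getpeercert() returns."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """True if one SAN entry covers the hostname (case-insensitive, trailing dots ignored)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = hostname.split(".")
        # '*.example.com' matches 'a.example.com' but not 'example.com' or 'a.b.example.com'
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return False


def hostname_matches(cert, hostname):
    """True when any DNS SAN in the certificate covers the hostname."""
    return any(name_matches(name, hostname) for name in san_dns_names(cert))


# Constructed world. Addresses are RFC 5737 documentation IPs; the certificate
# dicts stand in for what each server would present on connection.
HONEST_DNS = {"www.microsoft.com": "203.0.113.10"}
POISONED_DNS = {"www.microsoft.com": "198.51.100.7"}   # cache entry swapped to another host
SERVERS = {
    "203.0.113.10": {"subjectAltName": (("DNS", "www.microsoft.com"), ("DNS", "microsoft.com"))},
    # The impostor host can only hold a certificate for a name it actually controls.
    "198.51.100.7": {"subjectAltName": (("DNS", "secure-account-login.example"),)},
}


def safe_to_login(hostname, dns, servers):
    """Resolve, 'connect', and accept the page only if the cert is for the name typed."""
    ip = dns.get(hostname)
    if ip is None or ip not in servers:
        return False
    return hostname_matches(servers[ip], hostname)


if __name__ == "__main__":
    for label, table in (("honest DNS", HONEST_DNS), ("poisoned DNS", POISONED_DNS)):
        ok = safe_to_login("www.microsoft.com", table, SERVERS)
        print(f"{label}: {'certificate matches, proceed' if ok else 'certificate mismatch, stop'}")
```

In a real client this is the half of the check that Python's `ssl.create_default_context()` performs when `check_hostname` is left enabled; the other half, validating the chain up to a trusted CA, is what stops the impostor simply presenting a self-signed certificate bearing the victim's name, and the simulation above leaves that part out.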

Dropbox Phishing

This is a specific example where the fraud does not rely on baiting the potential victim, but instead uses knowledge of a person's or company's behaviour and practices to leverage another service (or sometimes another company).

The prevalence of Dropbox for storing files and backups etc. made it a high value target, both for harvesting login credentials and for tricking people into installing malware from what they thought were their own files or backups. One scam used a Dropbox-like login page hosted on Dropbox itself to steal people’s login details.

Google Docs was targeted in exactly the same way, with the
fake login page not only hosted by Google, but also protected with a legitimate
Google SSL certificate!

Two-factor authentication (2FA) or two-factor verification (2FV) is a way to protect yourself, so that simply knowing the username and password is not enough on its own to access the account.